Merge pull request #6972 from aspectcapital/powershell-system-account

Allow Powershell provisioner to use service accounts

provisioner/powershell/elevated.go

@@ -19,11 +19,11 @@ $log = [System.Environment]::ExpandEnvironmentVariables("{{.LogFile}}")
 $s = New-Object -ComObject "Schedule.Service"
 $s.Connect()
 $t = $s.NewTask($null)
-$t.XmlText = @'
+$xml = [xml]@'
 <?xml version="1.0" encoding="UTF-16"?>
 <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
   <RegistrationInfo>
-	<Description>{{.TaskDescription}}</Description>
+    <Description>{{.TaskDescription}}</Description>
   </RegistrationInfo>
   <Principals>
     <Principal id="Author">
@@ -59,9 +59,20 @@ $t.XmlText = @'
   </Actions>
 </Task>
 '@
+$logon_type = 1
+$password = "{{.Password}}"
+if ($password.Length -eq 0) {
+  $logon_type = 5
+  $password = $null
+  $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
+  $ns.AddNamespace("ns", $xml.DocumentElement.NamespaceURI)
+  $node = $xml.SelectSingleNode("/ns:Task/ns:Principals/ns:Principal/ns:LogonType", $ns)
+  $node.ParentNode.RemoveChild($node) | Out-Null
+}
+$t.XmlText = $xml.OuterXml
 if (Test-Path variable:global:ProgressPreference){$ProgressPreference="SilentlyContinue"}
 $f = $s.GetFolder("\")
-$f.RegisterTaskDefinition($name, $t, 6, "{{.User}}", "{{.Password}}", 1, $null) | Out-Null
+$f.RegisterTaskDefinition($name, $t, 6, "{{.User}}", $password, $logon_type, $null) | Out-Null
 $t = $f.GetTask("\$name")
 $t.Run($null) | Out-Null
 $timeout = 10

provisioner/powershell/provisioner.go

@@ -190,11 +190,6 @@ func (p *Provisioner) Prepare(raws ...interface{}) error {
 			errors.New("Only one of script or scripts can be specified."))
 	}
 
-	if p.config.ElevatedUser != "" && p.config.ElevatedPassword == "" {
-		errs = packer.MultiErrorAppend(errs,
-			errors.New("Must supply an 'elevated_password' if 'elevated_user' provided"))
-	}
-
 	if p.config.ElevatedUser == "" && p.config.ElevatedPassword != "" {
 		errs = packer.MultiErrorAppend(errs,
 			errors.New("Must supply an 'elevated_user' if 'elevated_password' provided"))

provisioner/powershell/provisioner_test.go

@@ -148,8 +148,8 @@ func TestProvisionerPrepare_Elevated(t *testing.T) {
 	config["elevated_user"] = "vagrant"
 	err := p.Prepare(config)
 
-	if err == nil {
+	if err != nil {
-		t.Fatal("should have error (only provided elevated_user)")
+		t.Fatal("should not have error")
 	}
 
 	config["elevated_password"] = "vagrant"

website/source/docs/provisioners/powershell.html.md

@@ -120,6 +120,14 @@ Optional parameters:
     "elevated_password": "{{.WinRMPassword}}",
     ```
 
+    If you specify an empty `elevated_password` value then the PowerShell
+    script is run as a service account. For example:
+
+    ``` json
+    "elevated_user": "SYSTEM",
+    "elevated_password": "",
+    ```
+
 -   `remote_path` (string) - The path where the PowerShell script will be
     uploaded to within the target build machine. This defaults to
     `C:/Windows/Temp/script-UUID.ps1` where UUID is replaced with a dynamically